Ask About...Retail, Fashion and Hospitality

19 June 2018

Many of our clients in the retail, fashion and hospitality sector face similar HR issues. Each month one of the members of our team will identify an issue, ask how you would deal with it and provide our advice. This month we asked Laura...

I’m the HR Director at a local chain of bakeries. We have about 100 employees across our units and have just received a Subject Access Request (SAR) from a former employee. This has prompted our MD to ask me to “sort out” whatever else we need to do regarding “all that data stuff” now that the GDPR has come into force.

I’ve dealt with a few SARs under the Data Protection Act 1998 rules. I’m planning to deal with this SAR it in much the same way as I did before. Regarding all the other “data stuff” and the new GDPR, we’re a small organisation and we’re always pretty careful with the small amount of “data” we have to handle - so I’m working on the assumption that there’s nothing much to worry about or do differently, particularly with our imminent withdrawal from the EU. And regarding employee data in general, I’m planning to put a simple clause in our employment contract covering off GDPR.

Please let me know if my suggested approach is okay.

A.Yes all of that sounds fine. We’re leaving the EU and the GDPR is an EU law. You need to ensure you carry out the recent SAR in compliance with the GDPR, but thanks to Brexit, once we withdraw from the EU, things will almost certainly change back to the way it was.

B No, it isn’t I’m afraid. A lot has changed and the more stringent data protection regulations in the GDPR are now part of UK law. Amongst other things, you need to put in place a privacy notice which complies with the GDPR including the legal bases for and purposes of your data processing. SAR requirements have also changed. Changing nothing could leave you liable to far harsher penalties than before.

C. Yes that approach sounds okay although GDPR is here to stay, regardless of Brexit. Providing you include a simple clause in your employment contracts covering off GDPR, you’re fine. Failure to do so leaves you liable to a penalty of up to €20million.

D. Well, you’re nearly there with that approach! Make sure that you delete all personal data you do not need and cover off GDPR in your employment contracts to obtain consent for the use of personal data. For existing employees, make them aware that you have their personal data stored and it may be used in future.

The correct answer is B.

The EU General Data Protection Regulation (GDPR) took effect in all EU countries on 25 May 2018 and has been implemented in the UK via the Data Protection Act (DPA) 2018. The new DPA will replace the DPA 1998. The new DPA will also continue as part of UK law when we leave the EU - so there’s no ignoring it!

This new data regime is much more stringent and can result in much higher penalties than under the old legislation. This means that your suggested approach isn’t okay I’m afraid. There are a number of areas where you’ll need to take some action, as a lot has changed.

It’s a complex area of law and we can’t attempt to deal with all employment aspects of it now, but here are a few pointers.

Data processing: You need to consider what workforce data you process and why, where you send it and who you share it with. This is because you need to identify the legal basis (or bases) on which you are processing the data. It’s unlikely to be practical for you to rely on consent for data processing (as you may have done under the old DPA). Under the GDPR, consent to processing in the context of a contractual employment relationship cannot be considered as freely given. This means that in most cases you will probably need to rely on “legitimate interest” as the basis for your processing.

Privacy notices: You will need to update your privacy notices and determine which sections require modifications to comply with the GDPR checklist, including the review of its style and formatting. (This is assuming you have one - if not, you need to prepare one.) You must also ensure employees are notified of the updated privacy policies. Examples of what the notices must include are:

The legal basis and purposes of data processing and the personal data retention periods;

How you store the personal data;

Recordkeeping requirements to demonstrate compliance with the GDPR;

Your organisation’s contact details and identity; and

Contact details for the data protection officer, if applicable.

Subject access requests (SARs): One of the key changes is that you can no longer charge individuals when they make a SAR. This is likely to result in a rise in the number of SARs, so be prepared for more requests. Also, the timeframe for response has now been shortened to 30 days from the date of receipt of the request. Remember to redact or anonymise where appropriate when you review the individual’s personal data. If you disclose personal data about another individual who has not expressly consented this will be a breach of the GDPR.

Data breaches: Another change in the new legislation is that there are now more stringent requirements regarding data breaches including, in some circumstances, notification of breaches to the Information Commissioner’s Office (ICO).

Penalties: The ICO is imposing harsher penalties for non-compliance with the GDPR with a limit of €20million or 4% of your annual turnover, whichever of the two is higher. That’s in addition to compensation and damages that claimants may be entitled to under their enhanced rights. We’ve seen significant sums imposed on WM Morrison Supermarkets and Carphone Warehouse recently, and now with more stringent regulations and a much increased maximum penalty there’s a greater need for you to comply.